From 23f0cc3b6e439e724fb424588ca8cfa320e26930 Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Fri, 31 Aug 2018 22:04:48 -0700
Subject: [PATCH] csrf ongoing work (#1803)

---
 controllers/C_Document.class.php | 2 ++
 interface/forms/LBF/new.php | 15 ++++++++++-----
 interface/super/edit_globals.php | 17 +++++++++++++++++
 interface/super/edit_layout.php | 3 ++-
 interface/super/layout_listitems_ajax.php | 5 +++++
 interface/super/layout_service_codes.php | 8 +++++++-
 interface/super/load_codes.php | 12 +++++++++---
 library/ajax/ccr_import_ajax.php | 5 +++++
 library/ajax/code_attributes_ajax.php | 5 +++++
 library/ajax/collect_new_report_id.php | 2 ++
 library/ajax/offsite_portal_ajax.php | 5 +++++
 templates/documents/general_view.html | 7 ++++---
 12 files changed, 73 insertions(+), 13 deletions(-)

diff --git a/controllers/C_Document.class.php b/controllers/C_Document.class.php
index 29ebd79a6..2626ba36b 100644
--- a/controllers/C_Document.class.php
+++ b/controllers/C_Document.class.php
@@ -341,6 +341,8 @@ class C_Document extends Controller
         $d = new Document($doc_id);
         $notes = $d->get_notes();
 
+        $this->assign("csrf_token_form", $_SESSION['csrf_token']);
+
         $this->assign("file", $d);
         $this->assign("web_path", $this->_link("retrieve") . "document_id=" . $d->get_id() . "&");
         $this->assign("NOTE_ACTION", $this->_link("note"));
diff --git a/interface/forms/LBF/new.php b/interface/forms/LBF/new.php
index e1caf485e..d50f53fcc 100644
--- a/interface/forms/LBF/new.php
+++ b/interface/forms/LBF/new.php
@@ -458,7 +458,8 @@ if (!empty($_POST['bn_save']) || !empty($_POST['bn_save_print']) || !empty($_POS
             '?codetype=' + encodeURIComponent(codetype) +
             '&code=' + encodeURIComponent(code) +
             '&selector=' + encodeURIComponent(selector) +
-            '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel ? f.form_fs_pricelevel.value : ""));
+            '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel ? f.form_fs_pricelevel.value : "") +
+            '&csrf_token_form=' + encodeURIComponent());
     }
     return '';
 }
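Review bot: `encodeURIComponent()` on the added `csrf_token_form` line is called with no argument, so as shown the query string carries the literal text `undefined` and `verifyCsrfToken()` on the receiving endpoint rejects every request; presumably a server-side echo of the session token inside the parentheses was stripped from this listing, so confirm the actual file passes one. Independently, the token travels in a GET query string via `$.getScript`, which copies it into web-server access logs, browser history and outbound Referer headers; sending it in a POST body (`$.ajax({type: 'POST', …})`) with the endpoint reading `$_POST` keeps it out of those places. The same two points apply to the hunks at -629, -655, -680 and -690 of this file, to interface/super/edit_layout.php at -1180, and to the empty `csrf_token_form: ''` literal in interface/super/edit_globals.php at -323. The enclosing JavaScript function starts outside the hunk.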
@@ -629,7 +630,8 @@ if (!empty($_POST['bn_save']) || !empty($_POST['bn_save_print']) || !empty($_POS
     $.getScript('/library/ajax/code_attributes_ajax.php' +
         '?codetype=' + encodeURIComponent(a[0]) +
         '&code=' + encodeURIComponent(a[1]) +
-        '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel.value));
+        '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel.value) +
+        '&csrf_token_form=' + encodeURIComponent());
 }
 
 // Respond to clicking a checkbox for adding (or removing) a specific product.
@@ -655,7 +657,8 @@ if (!empty($_POST['bn_save']) || !empty($_POST['bn_save_print']) || !empty($_POS
         '?codetype=' + encodeURIComponent(a[0]) +
         '&code=' + encodeURIComponent(a[1]) +
         '&selector=' + encodeURIComponent(a[2]) +
-        '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel.value));
+        '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel.value) +
+        '&csrf_token_form=' + encodeURIComponent());
 }
 
 // Respond to clicking a checkbox for adding (or removing) a specific diagnosis.
@@ -680,7 +683,8 @@ if (!empty($_POST['bn_save']) || !empty($_POST['bn_save_print']) || !empty($_POS
     $.getScript('/library/ajax/code_attributes_ajax.php' +
         '?codetype=' + encodeURIComponent(a[0]) +
         '&code=' + encodeURIComponent(a[1]) +
-        '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel ? f.form_fs_pricelevel.value : ""));
+        '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel ? f.form_fs_pricelevel.value : "") +
+        '&csrf_token_form=' + encodeURIComponent());
 }
 
 // Respond to selecting a package of codes.
@@ -690,7 +694,8 @@ if (!empty($_POST['bn_save']) || !empty($_POST['bn_save_print']) || !empty($_POS
     if (sel.value) {
         $.getScript('/library/ajax/code_attributes_ajax.php' +
             '?list=' + encodeURIComponent(sel.value) +
-            '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel ? f.form_fs_pricelevel.value : ""));
+            '&pricelevel=' + encodeURIComponent(f.form_fs_pricelevel ? f.form_fs_pricelevel.value : "") +
+            '&csrf_token_form=' + encodeURIComponent());
     }
     sel.selectedIndex = 0;
 }
diff --git a/interface/super/edit_globals.php b/interface/super/edit_globals.php
index a9c0392f3..c8619f847 100644
--- a/interface/super/edit_globals.php
+++ b/interface/super/edit_globals.php
@@ -115,6 +115,11 @@ function checkBackgroundServices()
 // If we are saving user_specific globals.
 //
 if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && $userMode) {
+    //verify csrf
+    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+        die(xlt('Authentication Error'));
+    }
+
     $i = 0;
     foreach ($GLOBALS_METADATA as $grpname => $grparr) {
         if (in_array($grpname, $USER_SPECIFIC_TABS)) {
@@ -149,6 +154,11 @@ if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && $userMode) {
 }
 
 if (array_key_exists('form_download', $_POST) && $_POST['form_download']) {
+    //verify csrf
+    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+        die(xlt('Authentication Error'));
+    }
+
     $client = portal_connection();
     try {
         $response = $client->getPortalConnectionFiles($credentials);
@@ -193,6 +203,11 @@ if (array_key_exists('form_download', $_POST) && $_POST['form_download']) {
 // If we are saving main globals.
 //
 if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && !$userMode) {
+    //verify csrf
+    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+        die(xlt('Authentication Error'));
+    }
+
     $force_off_enable_auditlog_encryption = true;
     // Need to force enable_auditlog_encryption off if the php openssl module
     // is not installed or the AES-256-CBC cipher is not available.
@@ -323,6 +338,7 @@ if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && !$userMode)
             type: "POST",
             url: "/library/ajax/offsite_portal_ajax.php",
             data: {
+                csrf_token_form: '',
                 action: 'check_file'
             },
             cache: false,
@@ -355,6 +371,7 @@ if (array_key_exists('form_save', $_POST) && $_POST['form_save'] && !$userMode)
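Review bot: The identical five-line CSRF block is pasted into three branches (-115, -149 and -193) and each reads `$_POST["csrf_token_form"]` directly, which raises an undefined-index notice and hands `null` to the verifier whenever the field is absent. One guard ahead of the first branch covers all three and tolerates the missing key: `if (!empty($_POST) && !verifyCsrfToken(isset($_POST['csrf_token_form']) ? $_POST['csrf_token_form'] : '')) { die(xlt('Authentication Error')); }` — this assumes every POST this page handles should be token-protected, which the visible hunks suggest but do not prove. If the per-branch layout is deliberate, a one-line comment above the first block saying so (`// each POST branch verifies separately because GET renders of this page must stay token-free`, adjusted to the real reason) would stop the next reader from deduplicating it.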
+
diff --git a/interface/super/edit_layout.php b/interface/super/edit_layout.php
index e31d623f7..931369bb4 100644
--- a/interface/super/edit_layout.php
+++ b/interface/super/edit_layout.php
@@ -1180,7 +1180,8 @@ function setListItemOptions(lino, seq, init) {
     $.getScript('layout_listitems_ajax.php' +
         '?listid=' + encodeURIComponent(list_id) +
         '&target=' + encodeURIComponent(target) +
-        '¤t=' + encodeURIComponent(current));
+        '¤t=' + encodeURIComponent(current) +
+        '&csrf_token_form=' + encodeURIComponent());
 }
 
 // This is called whenever a condition's field ID selection is changed.
diff --git a/interface/super/layout_listitems_ajax.php b/interface/super/layout_listitems_ajax.php
index 355ac7cba..d9d5bb92a 100644
--- a/interface/super/layout_listitems_ajax.php
+++ b/interface/super/layout_listitems_ajax.php
@@ -26,6 +26,11 @@
 
 require_once("../globals.php");
 
+//verify csrf
+if (!verifyCsrfToken($_GET["csrf_token_form"])) {
+    die(xlt('Authentication Error'));
+}
+
 $listid = $_GET['listid'];
 $target = $_GET['target'];
 $current = $_GET['current'];
diff --git a/interface/super/layout_service_codes.php b/interface/super/layout_service_codes.php
index 22cc5383e..79f7c73f7 100644
--- a/interface/super/layout_service_codes.php
+++ b/interface/super/layout_service_codes.php
@@ -48,6 +48,11 @@ function applyCode($layoutid, $codetype, $code, $description)
+
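Review bot: Both the removed and the added line show `'¤t=' + encodeURIComponent(current)`, where `¤` is what `&curren;` decodes to, i.e. the text was almost certainly `'&current='` before an HTML-entity pass mangled it; the endpoint layout_listitems_ajax.php reads `$_GET['current']`, so if the working tree really contains `¤t` that parameter never arrives. This is most likely an artefact of how this listing was rendered rather than of the patch, but it is cheap to verify with a byte-level view of the file; the intended line is `'&current=' + encodeURIComponent(current) +`. setListItemOptions continues outside the hunk.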
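Review bot: The new check reads `$_GET["csrf_token_form"]` unconditionally, so a request without the parameter emits an undefined-index notice and passes `null` to `verifyCsrfToken()`, and on failure `die(xlt(...))` sends the message with a 200 status, which a `$.getScript` caller then tries to execute as JavaScript. Reject the missing key explicitly and set a status the client can act on: `if (!isset($_GET['csrf_token_form']) || !verifyCsrfToken($_GET['csrf_token_form'])) {` followed by `http_response_code(403);` before the `die`. The same applies to library/ajax/code_attributes_ajax.php at -17 (`$_GET`) and library/ajax/offsite_portal_ajax.php at -29 (`$_POST`).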
@@ -137,7 +143,7 @@ if (!empty($_POST['bn_upload'])) {
-
+
diff --git a/interface/super/load_codes.php b/interface/super/load_codes.php
index 33151bf14..f9938e72c 100644
--- a/interface/super/load_codes.php
+++ b/interface/super/load_codes.php
@@ -51,8 +51,13 @@ $code_type = empty($_POST['form_code_type']) ? '' : $_POST['form_code_type'];
+
@@ -174,7 +180,7 @@ if (!empty($_POST['bn_upload'])) {
@@ -182,7 +188,7 @@ foreach (array('RXCUI') as $codetype) {
-
+
diff --git a/library/ajax/ccr_import_ajax.php b/library/ajax/ccr_import_ajax.php
index 849ff402d..16baae3ae 100644
--- a/library/ajax/ccr_import_ajax.php
+++ b/library/ajax/ccr_import_ajax.php
@@ -28,6 +28,11 @@
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../parse_patient_xml.php");
 
+//verify csrf
+if (!verifyCsrfToken($_GET["csrf_token_form"])) {
+    die(xlt('Authentication Error'));
+}
+
 if ($_REQUEST["ccr_ajax"] == "yes") {
     $doc_id = $_REQUEST["document_id"];
     $d = new Document($doc_id);
diff --git a/library/ajax/code_attributes_ajax.php b/library/ajax/code_attributes_ajax.php
index b138cafb1..c98ec85a8 100644
--- a/library/ajax/code_attributes_ajax.php
+++ b/library/ajax/code_attributes_ajax.php
@@ -17,6 +17,11 @@
 require_once("../../interface/globals.php");
 require_once("$fileroot/custom/code_types.inc.php");
 require_once("$fileroot/interface/drugs/drugs.inc.php");
+//verify csrf
+if (!verifyCsrfToken($_GET["csrf_token_form"])) {
+    die(xlt('Authentication Error'));
+}
+
 function write_code_info($codetype, $code, $selector, $pricelevel)
 {
     global $code_types;
diff --git a/library/ajax/collect_new_report_id.php b/library/ajax/collect_new_report_id.php
index a9614991d..04f10e777 100644
--- a/library/ajax/collect_new_report_id.php
+++ b/library/ajax/collect_new_report_id.php
@@ -25,5 +25,7 @@
 require_once(dirname(__FILE__) . "/../../interface/globals.php");
 require_once(dirname(__FILE__) . "/../report_database.inc");
 
+
+
 // Collect/bookmark a new report id in report_results sql table and send it back.
 echo bookmarkReportDatabase();
diff --git a/library/ajax/offsite_portal_ajax.php b/library/ajax/offsite_portal_ajax.php
index 5379e2bcf..18a17ca04 100644
--- a/library/ajax/offsite_portal_ajax.php
+++ b/library/ajax/offsite_portal_ajax.php
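Review bot: The check reads the token from `$_GET["csrf_token_form"]`, but the only caller visible in this patch, templates/documents/general_view.html, sends `csrf_token_form` in the body of a `type: "POST"` `$.ajax` call, so unless the request URL also carries the parameter (not shown here) `$_GET` is empty and every import request dies with 'Authentication Error'. The rest of the hunk reads its inputs through `$_REQUEST`, which accepts either method and so hides the mismatch; the check should use the superglobal the caller actually populates, `if (!verifyCsrfToken($_POST["csrf_token_form"])) {`, with an `isset` guard for the missing-key case. A comment above it naming the supplier would keep the two files in step, e.g. `// token is POSTed by the ccr_ajax call in templates/documents/general_view.html`.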
@@ -29,6 +29,11 @@
 require_once(dirname(__FILE__)."/../../interface/globals.php");
 require_once("$srcdir/acl.inc");
 require_once(dirname(__FILE__)."/../../myportal/soap_service/portal_connectivity.php");
+//verify csrf
+if (!verifyCsrfToken($_POST["csrf_token_form"])) {
+    die(xlt('Authentication Error'));
+}
+
 if ($_POST['action'] == 'check_file' && acl_check('admin', 'super')) {
     $client = portal_connection();
     $error_message = '';
diff --git a/templates/documents/general_view.html b/templates/documents/general_view.html
index ea12d34ab..49adaac9c 100644
--- a/templates/documents/general_view.html
+++ b/templates/documents/general_view.html
@@ -113,10 +113,11 @@ function ImgProcedure() {literal}{{/literal}
         type: "POST",
         dataType: "html",
         data:
-            {
+            {{/literal}
+            csrf_token_form : "{$csrf_token_form|escape:'html'}",
             ccr_ajax : "yes",
-            document_id : docid,
-            },
+            document_id : docid
+            {literal}},
         success: function(data){
             alert(data);
             top.restoreSession();
-- 2.11.4.GIT
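Review bot: `{$csrf_token_form|escape:'html'}` is interpolated inside a JavaScript string literal, so the escaping is for the wrong context: HTML escaping turns a `"` into `&quot;` (corrupting the value rather than protecting the literal) and leaves `\` and line terminators untouched. For the value C_Document.class.php assigns from `$_SESSION['csrf_token']` this is harmless as long as the token is plain alphanumeric text, which nothing in the patch shows, so the modifier should follow the surrounding syntax rather than an assumption about the value: `csrf_token_form : "{$csrf_token_form|escape:'javascript'}",`. ImgProcedure continues outside the hunk.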